Private DNS: Best Practices

Twingate generally recommends that your network be configured so that Resources are accessible exclusively via private DNS. There are several advantages to using private DNS:

  1. Creating public DNS entries for Resources on the private network leaks information that could be used by attackers and is unnecessary.
  2. Accessing Resources by IP address is error-prone and not user-friendly.
  3. Since Twingate allows you to connect to Resources on multiple private networks at once, it is possible that two Resources could have the same IP address, and you will be unable to connect to one of them. Using DNS names instead of IPs removes the ambiguity and allows you to connect to both Resources, even if they are assigned the same private IP.

Setup and Structure

Setting up a private DNS zone is easier now than it's ever been! Services like AWS Route 53 and Azure DNS eliminate the need to deploy a dedicated DNS server yourself. For on-premises networks, you will usually want to deploy a DNS server on a host on the internal network.

Thinking a bit about your DNS structure before deploying will pay off in the end. It can be very useful to define DNS zones that map to permissions you'd like to configure in Twingate. For example, if all the internal engineering systems are under .engineering.yourcompany.com, you can add a *.engineering.yourcompany.com Resource and assign it to the Engineering Group. This means any new systems added underneath that zone will automatically give access to the engineering team, saving you trouble configuring these Resources manually.

Configuring Twingate

Configuration is extremely simple: just make sure that the Connector for the Remote Network the Resource is on can resolve the private domain. To confirm this, log into the Connector host and run nslookup RESOURCE, replacing RESOURCE with the hostname in question. That's it!
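The two checks above lend themselves to a small script run on the Connector host: does each Resource hostname resolve there, does it resolve to a private address (rather than a public one that would suggest a leaked public DNS entry), and which wildcard Resource covers it under the zone structure described earlier. The following is an added example, not Twingate's own code or tooling. It assumes a resolver can be injected so the logic runs offline against constructed sample data, that "private" means RFC 1918 or IPv6 ULA space, and that a `*.zone` Resource matches any name with at least one label under that zone; Twingate's actual wildcard semantics are not stated on this page.

```python
"""Sanity-check private DNS Resources from a Connector host.

Added example, not Twingate code. Assumptions: resolver is injectable
(so the demo runs offline); "private" = RFC 1918 / IPv6 ULA; a "*.zone"
Resource covers names with one or more labels under that zone.
"""
import ipaddress
import socket
from typing import Callable, Dict, List

# Address space treated as "private network" for this check (assumption).
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("fc00::/7"),
]


def is_private_address(addr: str) -> bool:
    """True if addr falls inside one of PRIVATE_RANGES (scope ids stripped)."""
    ip = ipaddress.ip_address(addr.split("%")[0])
    return any(ip in net for net in PRIVATE_RANGES)


def system_resolver(hostname: str) -> List[str]:
    """Resolve via the host's configured DNS, which is what the Connector uses."""
    try:
        infos = socket.getaddrinfo(hostname, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def classify(addresses: List[str]) -> str:
    """Label a lookup result: unresolved, private, public, or mixed."""
    if not addresses:
        return "unresolved"
    flags = [is_private_address(a) for a in addresses]
    if all(flags):
        return "private"
    if not any(flags):
        return "public"
    return "mixed"


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """'*.engineering.yourcompany.com' covers any name below that zone;
    a pattern without '*' must match exactly (assumed semantics)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        zone = pattern[2:]
        return hostname.endswith("." + zone) and hostname != zone
    return pattern == hostname


def covering_resources(hostname: str, resources: Dict[str, str]) -> List[str]:
    """List 'pattern -> Group' entries whose Resource covers hostname."""
    return [f"{pat} -> {group}" for pat, group in resources.items()
            if wildcard_matches(pat, hostname)]


def check_resources(hostnames, resources: Dict[str, str],
                    resolver: Callable[[str], List[str]] = system_resolver) -> Dict[str, dict]:
    """Build a per-hostname report: addresses, status, covering Resources."""
    report = {}
    for host in hostnames:
        addrs = resolver(host)
        report[host] = {
            "addresses": addrs,
            "status": classify(addrs),
            "covered_by": covering_resources(host, resources),
        }
    return report


# Constructed sample data (hypothetical hosts, not real infrastructure).
SAMPLE_RESOURCES = {
    "*.engineering.yourcompany.com": "Engineering",
    "wiki.yourcompany.com": "Everyone",
}
SAMPLE_LOOKUPS = {
    "build.engineering.yourcompany.com": ["10.0.1.20"],   # healthy
    "wiki.yourcompany.com": ["10.0.1.30"],                # healthy, exact Resource
    "git.engineering.yourcompany.com": [],                # Connector cannot resolve it
    "jira.yourcompany.com": ["203.0.113.10"],             # resolves to a non-private address
}


def sample_resolver(hostname: str) -> List[str]:
    """Offline stand-in for system_resolver using the constructed table."""
    return SAMPLE_LOOKUPS.get(hostname, [])


if __name__ == "__main__":
    for host, r in check_resources(SAMPLE_LOOKUPS, SAMPLE_RESOURCES, sample_resolver).items():
        print(f"{host:40} {r['status']:10} {r['addresses']} {r['covered_by'] or 'NOT COVERED'}")
```

On a real Connector host, call `check_resources` with your Resource hostnames and the default `system_resolver`. An "unresolved" entry means the Connector host cannot resolve that name, which is the condition the nslookup check above is meant to catch; a "public" entry means the name resolved to something outside private address space, which is worth reconciling with the advice above against publishing private Resources in public DNS; an empty `covered_by` list means no Resource pattern in your map grants access to that host.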

While there is an option to configure a custom DNS server for the Connector, this is generally not needed and can make configuration more difficult. We recommend leaving it unset, so that Twingate uses whatever DNS servers are configured on the Connector host.
